Everything posted by harkaz

  1. harkaz, i appreciate the work that you have done.. i installed your "FIX" for the MS15-010/3013455 update, which, incidentally, took a leap of faith, since it is a modified "windows" file and it also requires installing a "certificate" for it.. with all of the talk about komodia's installing certificates etc, and with "privdog", and everything else associated with that, when you talk about installing a certificate (not to mention installing a modified windows file), it is concerning:

     http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
     http://www.pcworld.com/article/2887632/secure-advertising-tool-privdog-compromises-https-security.html

     i would like to know how to remove your certificate that i installed, in case i ever want to.. does it have a name? to remove the certificate, would you simply delete the "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\F2C90A445A5E0F0F79AEDEB694D50B9656B24A71" regkey, or would deleting that regkey cause problems with other certificates?

     i just wanted to mention something.. looking at the screenshot that you posted, you say that "the order of command execution is reversed", but there seems to be more to it.. in your screenshot, in the code in the window on the left, it has a "@sc1_InitializeTwilightcontours@12" while the code in the window on the right doesn't, at least that is the way that it looks to me.. maybe you already noticed that, or maybe i am confused and that actually was the point that you were making..

     regarding the MS15-010/3013455 update, from what you have posted, it seems that the "win32k.sys" file that was installed by the 3013455 update was flawed, and that the 3037639 update, which was meant to fix the font problem, simply tweaks windows in order to allow it to use the flawed win32k.sys file, but without the font-problems..

     tweaking windows to where it can use a flawed win32k.sys file (but without the font problems) doesn't sound good to me.. from reading some of the other posts here, it seems that some people opted to tweak the win32k.sys file themselves.. i suppose that they also had to use their own certificates in order for windows to allow the modified win32k.sys file to be installed and to run..

     for the record, i don't know anything about "coding" software.. i am not an "expert".. i am just a regular home-computer-user..

     1. You will find the @sc1_InitializeTwilightcontours@12 if you follow the jmp instruction.
     2. I have done statistical analysis of the differences between the 2 MS patches (Server 2003) and I have found an equivalent patch for the NT5.1 win32k.sys. (It's not the same because the Server 2003 corrective patch is done via a function chunk, while my patch is simply a reversal of the function execution order). So crafting the patch is something more than intuition.
     3. Deleting HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates\F2C90A445A5E0F0F79AEDEB694D50B9656B24A71 is enough to remove my CA from your system. All files signed with certificates chained to this CA will become untrusted.
     4. It is possible to perform SSL hijacking by creating certificates signed with my certificate authority (provided you have the encryption keys of the CA, which you don't). Only if I decided/managed to inject a virus in your system would this be possible.
  2. @Mister Floppy It will not be at the same offsets in the German win32k.sys; you have to search for the sequence of bytes before the patch to locate the exact offset in a hex editor.
  3. @glnz I understand your frustration. Unfortunately, I don't have enough time to repeat the process for all XP languages or explain in thorough detail.
  4. I don't think that they will release a version lower than 6734. The win32k.sys revision number was incremented by 21 in Server 2003 and should be the same with NT5.1. That's why I chose 6733.
  5. @Atari800XL Creating your own catalog file for your patched, language-specific win32k.sys is required. Also, update the update.ver file with the new checksums. Otherwise, use the same zip structure. (Make sure it's language-specific) The version to patch is: 5.1.2600.6712 (botched KB3013455 from Microsoft Update catalog) Make sure you increment the version number at least by one (i.e. minimum 5.1.2600.6713) ADDED (forgot): Also, patch the language-specific update.exe to accept modified update.inf file, and use language-specific installation files.
  6. Patch is ready. You can try it now. You'll need to have my CA root installed for the catalogs to install (double-click update\update.reg in .zip I uploaded BEFORE running update\update.exe). Fix: http://s000.tinyupload.com/?file_id=55128295046725465161
  7. @Outbreaker Yes, I compared these two files. I'm trying to create a patch for XP's win32k.sys right now.
  8. I think I have found a difference: The order of command execution is reversed.
  9. @Outbreaker Instead of trying to replace the file, reverse engineer the latest patch and determine what necessary changes are required (if simple patching is possible). I wish I had more free time to delve into this. (I had started reading some classic books in reversing but I'm busy with many things...)
  10. I have used Pelles C to compile these 3 EXEs:

      WindowsXP-USP4-v2-x86-ENU.exe\i386\root\dotnetfx\ndpsp.exe
      WindowsXP-USP4-v2-x86-ENU.exe\i386\root\dotnetfx\setup.exe
      WindowsXP-USP4-v2-x86-ENU.exe\i386\root\dotnetfx\dotnetfx.exe

      They are placeholders for some MCE disks. They do absolutely nothing (empty WinMain). I don't know why they are reported as malware. EDIT: The source code is ATTACHED. Aspuncln-PellesC.rar
  11. The November 2014 post-SP4 Update Pack has been released. This update pack must be used with Windows XP SP4 Version 2-integrated media to Clean install Windows XP SP4 + all post-SP4 updates until November 2014 on your system.

      Latest Version: 22 November 2014

      READ BEFORE DOWNLOADING: UNLIKE ALL OTHER UPDATE PACKS its integration is done in 3 steps:

      1. Integrate the 7Z FILE in SP4 media using nLite or RyanVm Integrator. DO NOT perform any other tweaks YET. Close nLite or RyanVM Integrator and proceed with step 2.
      2. Copy the CMPNENTS folder from the ZIP FILE to the installation directory.
      3A. If you're using HOME Edition copy the HOME\I386\hivesft.inf file from the ZIP FILE to the I386 subfolder of the installation folder.
      OR:
      3B. If you're using PROFESSIONAL Edition copy the PRO\I386\hivesft.inf file from the ZIP FILE to the I386 subfolder of the installation folder.

      WARNING: The post-sp4 update pack, unlike Windows XP Service Pack 4 v2, has undergone limited testing! It's designed primarily for Clean, CD-ROM/DVD-ROM-based installations.

      This update pack is based on Onepiece's .NET Framework addons and 5eraph's POSReady addon.

      Verification Information for the UPDATE PACK:

      1. SP4addon-Nov14.7z (22450838 bytes): MD5 - 93216D5D89ED33A314C1D087051DE417
      2. sp4addon-manualcopy-Nov14.zip (22658042 bytes): MD5 - A4142AF8D18B8AC59522C0AA6604A246

      Download from Post-SP4 Update Pack Google Drive folder.
  12. @submix8c I'm afraid it's not patchable.. I have examined the CAB file and it is signed with a special Microsoft Update certificate. If you sign it with everything else it will redownload the muauth.cab from Windows Update.
  13. Many thanks to b3270791 for reporting this workaround. This means we have to download Microsoft Update hotfixes for our software and keep them in an HDD because Microsoft may not fix this authorization.xml in the future...
  14. This must be an issue with the update server. The problem appeared today for the first time, probably after the emergency patch was released. I was installing multiple Office versions in VM before MU broke...
  15. If you're on a domain make sure you install the out-of-band MS14-068 patch ASAP. If an attacker gets admin credentials exploiting this flaw you won't be able to fix it with this update.
  16. Windows XP SP4 Final Version 2.0 is now available! This version brings fixes to the original Final release:

      - Fixes issues with .NET Framework 3.5 and 4.0 servicing. .NET framework is now fully compatible with the .NET Framework repair tool.
      - Enables uninstallation of future .NET updates.
      - Fixes issues with Rosebud installation and Office 2007
      - Fixes issues with Starter Edition slipstreaming
      - Fixes issues with Windows Imaging Component registration
      - Fixes issues with time reporting in many applications.
  17. Download hashes and torrent for the fixed Final version are available. This version of SP4 Final has undergone extensive testing. It has been tested successfully in the following scenario:

      Clean Install -> Install .NET Framework 4.0 -> Install Visual Studio 2005 Standard ENU -> Run Microsoft Update and install all updates -> Install Visual Studio 2008 Professional ENU -> Run Microsoft Update and install updates (these include some Office 2007 ones) -> Install Visual Studio 2010 Ultimate -> Run Microsoft Update and install updates.

      All components have been serviced successfully. This version fixes:

      - A time zone issue reported by GH0st
      - An important problem with WIC in CD-ROM installations. This would cause several .NET programs to crash.
      - Regression issue with Rosebud 12 and Office 2007 servicing.
      - urlmon.dll is missing after slipstreaming.
  18. Removing this key fixes an issue with time reporting in some applications: HKLM,"System\CurrentControlSet\Control\Session Manager\Environment","TZ",0,"MEZ-1MESZ-2" The next, upcoming SP4 Final fix will address this issue, as well as Office 2007 and Rosebud 12 regression issues.
  19. I'm preparing a new fixed version and I have removed all files. The new files will be available soon.
  20. Windows XP SP4 Source Files have been uploaded to Google Drive. You can download the rar file there and examine these files if you want to create a similar service pack for another language or with a different set of components. No documentation is provided. Use your own software publishing certificate to digitally sign the modified/updated files.
  21. This fixit file MUST be used ONLY BY THOSE WHO DOWNLOADED AND INSTALLED THE 28 OCTOBER 2014 FINAL VERSION: http://www.adrive.com/public/prkHTM/netfx35_fixit.reg It fixes issues with .NET Framework 3.5 servicing! A new version of SP4 Final is being uploaded to address this specific issue.
  22. @Phenomic Fortunately, I haven't experienced such issues with the latest version of the package installer. PS. Gurgelmeyer, the 2k USP5 developer, has disappeared since 2006.
  23. Yes, reinstalling Windows is the best way to fix everything. If you don't use .NET Framework try installing with .NET FW 1.1 and .NET FW 3.5 disabled by default - use the patched netfx11.inf and netfx35.inf files for this purpose. These files can be found in the Patches cloud folder.
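
The "Verification Information" in the November 2014 update pack post above lists a byte size and an MD5 for each archive. The following is an added example, not code from harkaz's posts or from the SP4 project, that checks downloaded files against those two published values; the function names and the directory argument are assumptions of this example.

```python
import hashlib
import os
import sys

# File names, sizes and MD5 values exactly as published in the November 2014 post.
PUBLISHED = {
    "SP4addon-Nov14.7z": (22450838, "93216D5D89ED33A314C1D087051DE417"),
    "sp4addon-manualcopy-Nov14.zip": (22658042, "A4142AF8D18B8AC59522C0AA6604A246"),
}


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so the whole archive is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def check_file(path, manifest=PUBLISHED):
    """Return 'ok', 'unknown-file', 'missing', 'size-mismatch' or 'md5-mismatch'."""
    name = os.path.basename(path)
    if name not in manifest:
        return "unknown-file"      # renamed downloads cannot be matched to an entry
    if not os.path.isfile(path):
        return "missing"
    expected_size, expected_md5 = manifest[name]
    if os.path.getsize(path) != expected_size:
        return "size-mismatch"     # truncated or padded download; skip hashing
    if md5_of(path) != expected_md5.upper():
        return "md5-mismatch"      # same length, different content
    return "ok"


def check_all(directory, manifest=PUBLISHED):
    """Check every published file name inside `directory`."""
    return {name: check_file(os.path.join(directory, name), manifest)
            for name in manifest}


if __name__ == "__main__":
    # Usage: python verify_pack.py <download-directory>
    results = check_all(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in results.items():
        print(f"{status:14} {name}")
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

A match shows the download is byte-for-byte the file the post describes. MD5 is not collision-resistant, so this is a corruption and wrong-file check rather than a substitute for a signature.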